HITRUST CSF 11.5 - AWS
This page lists all 130 policies in the HITRUST CSF 11.5 pack for AWS.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| api-gateway-authorization | Ensures API Gateway methods use strong authorization instead of NONE | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| iam-role-session-duration | Enforces maximum session duration for IAM roles | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| kms-grant-access-control | Validates KMS grants for least privilege access control | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| kms-key-policy-access-control | Validates KMS key policies for least privilege and separation of duties | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| rds-iam-authentication | Ensures RDS instances have IAM database authentication enabled | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| restrict-default-iam-user-creation | Ensures that default IAM user accounts are not allowed to be created | 01.b User Registration | User registration shall be used for authorizing and enabling access to information systems and services and for revoking access rights. |
| iam-password-policy-minimum-password-length | Ensure IAM password policy requires minimum length of 14 or greater. | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| iam-password-policy-prevent-reuse | Ensure IAM password policy prevents password reuse. | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| lambda-permission-configure-source-arn | Checks that Lambda function permissions have a source ARN specified. | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| iam-group-policy-least-privilege | Ensures IAM group policies follow least privilege principles | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| iam-policy-least-privilege | Ensures IAM policies follow least privilege principles | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| iam-role-least-privilege | Ensures IAM roles follow least privilege principles | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| iam-role-policy-least-privilege | Ensures IAM role policies follow least privilege principles | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| iam-user-policy-least-privilege | Ensures IAM user policies follow least privilege principles | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| pubsub-least-privilege-iam | Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis) | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| iam-role-assume-role-mfa-enforcement | Ensures IAM roles require MFA when assumed by human users (not AWS services) | 01.p Secure Log-on Procedures | Log-on procedures shall be designed to minimize the opportunity for unauthorized access. Log-on procedures shall reveal the minimum of information necessary to allow authorized users to recognize that they have accessed the appropriate system. |
| iam-user-mfa-console-access | Ensures IAM users with console access have MFA devices | 01.p Secure Log-on Procedures | Log-on procedures shall be designed to minimize the opportunity for unauthorized access. Log-on procedures shall reveal the minimum of information necessary to allow authorized users to recognize that they have accessed the appropriate system. |
| no-direct-user-access-keys | Prevents creation of direct IAM user access keys for human users | 01.p Secure Log-on Procedures | Log-on procedures shall be designed to minimize the opportunity for unauthorized access. Log-on procedures shall reveal the minimum of information necessary to allow authorized users to recognize that they have accessed the appropriate system. |
| limit-lambda-execution-time | Ensures that AWS Lambda functions are configured to time out after a specified duration to prevent extended access | 01.u Limitation of Connection Time | Inactive sessions shall shut down after a defined period of inactivity. |
| s3-bucket-least-privilege | Prevents overly permissive S3 bucket policies | 01.v Information Access Restriction | Access to systems and applications shall be restricted in accordance with the access control policy. |
| vpc-endpoint-security-policy | Ensures that VPC endpoints are associated with security policies that limit access to specified resources | 01.v Information Access Restriction | Access to systems and applications shall be restricted in accordance with the access control policy. |
| athena-database-disallow-unencrypted-database | Checks that Athena Databases storage is encrypted. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| athena-workgroup-disallow-unencrypted-workgroup | Checks that Athena Workgroups are encrypted. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| ebs-volume-disallow-unencrypted-volume | Checks that EBS volumes are encrypted. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| ec2-instance-disallow-unencrypted-block-device | Checks that EC2 instances do not have unencrypted block devices. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| ec2-instance-disallow-unencrypted-root-block-device | Checks that EC2 instances do not have unencrypted root volumes. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| ec2-launch-configuration-disallow-unencrypted-block-device | Checks that EC2 Launch Configurations do not have unencrypted block devices. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| ec2-launch-configuration-disallow-unencrypted-root-block-device | Checks that EC2 Launch Configurations do not have an unencrypted root block device. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| ec2-launch-template-disallow-unencrypted-block-device | Checks that EC2 Launch Templates do not have unencrypted block devices. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| ecr-repository-disallow-unencrypted-repository | Checks that ECR Repositories are encrypted. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| efs-file-system-disallow-unencrypted-file-system | Checks that EFS File Systems do not have an unencrypted file system. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| eks-cluster-enable-cluster-encryption-config | Check that EKS Cluster Encryption Config is enabled. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| rds-cluster-configure-customer-managed-key | Checks that RDS Clusters storage uses a customer-managed KMS key. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| rds-cluster-disallow-unencrypted-storage | Checks that RDS Clusters storage is encrypted. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| rds-instance-configure-customer-managed-key | Checks that RDS Instance storage uses a customer-managed KMS key. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| rds-instance-disallow-unencrypted-storage | Checks that RDS instance storage is encrypted. | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| kinesis-stream-retention | Ensures Kinesis streams have retention periods configured | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| no-hardcoded-secrets | Ensures EC2 instances do not contain hardcoded secrets | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| rds-cluster-secure-master-credentials | Ensures RDS clusters use secure credential management instead of hardcoded passwords | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| rds-secure-master-credentials | Ensures RDS instances use secure credential management instead of hardcoded passwords | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| s3-bucket-encryption | S3 buckets must have server-side encryption configured using BucketServerSideEncryptionConfiguration resource | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| s3-bucket-lifecycle | Ensures each S3 bucket has lifecycle rules configured for retention/disposal | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| s3-bucket-macie-access | Ensures S3 buckets allow AWS Macie access for data classification and discovery | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| s3-bucket-versioning | S3 buckets must have versioning enabled using BucketVersioning resource | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| sqs-encryption | Ensures SQS queues have server-side encryption enabled | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| sqs-message-retention | Ensures SQS queues have message retention periods configured | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| vpc-flow-logs | Ensures VPC flow logs use approved destinations for centralized monitoring | 09.aa Audit Logging | The organization shall ensure that audit logs are enabled and monitored for sensitive systems. |
| lambda-function-documentation | Ensures all AWS Lambda functions have a documented description attribute | 09.b Change Management | Changes to systems, applications and supporting infrastructure shall be controlled. |
| resource-tagging | Ensures all AWS resources must include tags for proper change tracking | 09.b Change Management | Changes to systems, applications and supporting infrastructure shall be controlled. |
| environment-separation-tagging | Ensures that resources are tagged to distinguish between production and non-production environments | 09.d Separation of Development, Test, and Operational Environments | Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. |
| s3-bucket-access-logging | Ensures each S3 bucket has access logging enabled | 09.e Service Delivery | Policy ensures compliance with HITRUST security requirements. |
| api-gateway-waf-association | Ensures public-facing API Gateways have WAF associations | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| appsync-waf-association | Ensures public-facing AppSync GraphQL APIs have WAF associations | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| cloudfront-distribution-configure-waf | Checks that any CloudFront distribution has a WAF ACL associated. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| ec2-instance-disallow-public-ip | Checks that EC2 instances do not have a public IP address. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| ec2-launch-configuration-disallow-public-ip | Checks that EC2 Launch Configurations do not have a public IP address. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| ec2-launch-template-disallow-public-ip | Checks that EC2 Launch Templates do not have public IP addresses. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| ec2-security-group-disallow-inbound-http-traffic | Check that EC2 Security Groups do not allow inbound HTTP traffic. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| eks-cluster-disallow-api-endpoint-public-access | Checks that EKS Cluster API endpoints are not publicly accessible. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| rds-cluster-instance-disallow-public-access | Checks that RDS Cluster Instances do not have public access enabled. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| neptune-clusterinstance-no-public-access | Checks that Neptune Cluster Instances do not have public access enabled. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| rds-instance-disallow-public-access | Checks that RDS Instances do not have public access enabled. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| s3-bucket-disallow-public-read | Checks that S3 Bucket ACLs don't allow 'public-read', 'public-read-write' or 'authenticated-read'. | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| cloudfront-waf-association | Ensures CloudFront distributions have WAF associations | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| database-strict-network-access | Ensures RDS instances have strict network access controls | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| load-balancer-waf-association | Ensures public-facing Load Balancers have WAF associations | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| rds-private-subnet-validation | Validates that RDS DB subnet groups contain only private subnets | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| s3-bucket-public-access-block | Ensures each S3 bucket has a public access block with all settings enabled | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| security-group-default-deny | Ensures Security Groups follow default deny with explicit allow principle | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| security-group-strict | Ensures security groups follow strict firewall rules with default deny | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| subnet-multi-az | Ensures subnets are distributed across multiple availability zones | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| waf-association-validation | Validates WAF Web ACL associations are properly configured | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| api-gateway-access-logging | Ensures API Gateway stages have access logging enabled | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| api-gateway-v2-access-logging | Ensures API Gateway V2 stages have access logging enabled | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| api-gateway-v2-stage-configure-access-logging | Checks that any ApiGatewayV2 Stages have access logging configured. | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| api-gateway-v2-stage-enable-access-logging | Checks that any ApiGatewayV2 Stages have access logging enabled. | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| cloudfront-distribution-configure-access-logging | Checks that any CloudFront distributions have access logging configured. | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| cloudfront-distribution-enable-access-logging | Checks that any CloudFront distributions have access logging enabled. | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| elb-load-balancer-configure-access-logging | Checks that ELB Load Balancers use access logging. | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| centralized-os-app-logging | Ensures EC2 instances have logging agents configured to forward OS/application logs to central system | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| rds-audit-logging | Ensures RDS instances have audit logging enabled | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| vpc-subnet-flow-logs | Ensures all VPCs and subnets have flow logs enabled | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| dynamodb-streams-enabled | Enforces that all DynamoDB tables have Stream settings enabled to capture all changes | 10.c Control of Internal Processing | Input data validation and output controls shall be applied to safeguard against errors, loss, unauthorized modification or misuse of information in applications. |
| lambda-environment-variables-encryption | Ensures that all Lambda functions have their environment variables encrypted using AWS KMS | 10.d Message Integrity | Integrity shall be applied to messages using cryptography or digital signatures, where deemed appropriate. |
| lambda-function-logging | Ensures that all AWS Lambda functions have logging enabled to track output data processing | 10.e Output Data Validation | Output data from applications shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. |
| api-gateway-domain-name-configure-security-policy | Checks that ApiGateway Domain Name Security Policy uses secure/modern TLS encryption. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| api-gateway-v2-domain-name-configure-domain-name-security-policy | Checks that any ApiGatewayV2 Domain Name Security Policy uses secure/modern TLS encryption. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| api-gateway-v2-domain-name-enable-domain-name-configuration | Checks that any ApiGatewayV2 Domain Name Configuration is enabled. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| appflow-connector-profile-configure-customer-managed-key | Check that AppFlow ConnectorProfile uses a customer-managed KMS key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| appflow-flow-configure-customer-managed-key | Check that AppFlow Flow uses a customer-managed KMS key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| athena-database-configure-customer-managed-key | Checks that Athena Databases storage uses a customer-managed key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| athena-workgroup-configure-customer-managed-key | Checks that Athena Workgroups use a customer-managed key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| cloudfront-distribution-configure-secure-tls-to-origin | Checks that CloudFront distributions communicate with custom origins using TLS 1.2 encryption only. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| cloudfront-distribution-configure-secure-tls | Checks that CloudFront distributions use secure/modern TLS encryption. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| cloudfront-distribution-disallow-unencrypted-traffic | Checks that CloudFront distributions only allow encrypted ingress traffic. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| cloudfront-distribution-enable-tls-to-origin | Checks that CloudFront distributions communicate with custom origins using TLS encryption. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| ebs-volume-configure-customer-managed-key | Check that encrypted EBS volumes use a customer-managed KMS key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| ec2-launch-template-configure-customer-managed-key | Checks that encrypted EBS volumes defined in EC2 launch templates use a customer-managed KMS key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| ecr-repository-configure-customer-managed-key | Checks that ECR repositories use a customer-managed KMS key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| efs-file-system-configure-customer-managed-key | Checks that encrypted EFS file systems use a customer-managed KMS key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| elb-load-balancer-disallow-unencrypted-traffic | Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| kms-key-enable-key-rotation | Checks that KMS Keys have key rotation enabled. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| secrets-manager-secret-configure-customer-managed-key | Checks that Secrets Manager secrets use a customer-managed KMS key. | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| kms-key-creation | Validates KMS key creation with appropriate specifications and origins | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| kms-key-deletion-lifecycle | Validates KMS key deletion windows and lifecycle management | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| rds-clusterinstance-ssl-encryption | Ensures RDS cluster instances have SSL/TLS encryption enabled through parameter group configuration | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| rds-instance-ssl-encryption | Ensures RDS instances have SSL/TLS encryption enabled through parameter group configuration | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| security-group-ssh-rdp | Ensures security groups do not allow SSH/RDP from the internet | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization |
| athena-workgroup-enforce-configuration | Checks that Athena Workgroups enforce their configuration to their clients. | 10.h Control of Operational Software | The installation of software on operational systems shall be controlled. |
| ecr-repository-disallow-mutable-image | Checks that ECR Repositories have immutable images enabled. | 10.h Control of Operational Software | The installation of software on operational systems shall be controlled. |
| lambda-runtime-restrictions | Ensures that AWS Lambda functions are created only with approved runtime versions | 10.h Control of Operational Software | The installation of software on operational systems shall be controlled. |
| rds-instance-managed-service-patching | Ensures RDS instances have automated minor version upgrades enabled | 10.k Change Control Procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
| rds-clusterinstance-managed-service-patching | Ensures RDS cluster instances have automated minor version upgrades enabled | 10.k Change Control Procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
| neptune-clusterinstance-managed-service-patching | Ensures Neptune cluster instances have automated minor version upgrades enabled | 10.k Change Control Procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
| docdb-clusterinstance-managed-service-patching | Ensures DocumentDB cluster instances have automated minor version upgrades enabled | 10.k Change Control Procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
| anti-malware-edr | Ensures EC2 instances have anti-malware/EDR agents deployed | 10.m Control of Technical Vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization |
| ecr-repository-configure-image-scan | Checks that ECR repositories have ‘scan-on-push’ configured. | 10.m Control of Technical Vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization |
| ecr-repository-enable-image-scan | Checks that ECR repositories have ‘scan-on-push’ enabled. | 10.m Control of Technical Vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization |
| ecr-image-scanning | Ensures ECR repositories have image scanning enabled for vulnerability management | 10.m Control of Technical Vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization |
| ecs-task-definition-image-scanning | Ensures ECS task definitions use images from repositories with vulnerability scanning | 10.m Control of Technical Vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization |
| elb-load-balancer-configure-multi-availability-zone | Checks that ELB Load Balancers use more than one availability zone. | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| elb-load-balancer-enable-health-check | Check that ELB Load Balancers have a health check enabled. | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| rds-cluster-disallow-single-availability-zone | Checks that RDS Clusters do not use a single availability zone. | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| rds-cluster-enable-backup-retention | Checks that RDS Clusters have a backup retention policy enabled. | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| rds-instance-enable-backup-retention | Checks that RDS Instances have a backup retention policy enabled. | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| kinesis-event-source-mapping-dlq | Ensures Kinesis Lambda event source mappings have DLQ configuration | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| rds-instance-high-availability | Ensures RDS instances have Multi-AZ deployment enabled for high availability | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| s3-bucket-replication | Ensures S3 buckets have replication configured for enhanced availability | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| sns-subscription-dead-letter-queue | Ensures SNS subscriptions have dead letter queue configuration | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
| sqs-dead-letter-queue | Ensures SQS queues have dead letter queue configuration | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization |
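The four CloudFront rows under 10.f (secure viewer TLS, no unencrypted ingress, TLS to origin, TLS 1.2 only to origin) are the ones most often misread, because a distribution can pass one and fail the other three. The block below is an added example, not the Pulumi pack's own policy code: it models those four checks as plain validation functions over a distribution's input properties so it runs offline without the Pulumi SDK. Property names follow `aws.cloudfront.Distribution`; the list of "modern" viewer security policies, the treatment of `match-viewer` as a failure, and the sample distributions are this example's assumptions. In a real CrossGuard pack each function would be wired through `validateResourceOfType`.

```typescript
// Added example modelling the CloudFront TLS checks listed above.
// Not Pulumi's policy code; field names mirror aws.cloudfront.Distribution inputs.

interface ViewerCertificate {
  cloudfrontDefaultCertificate?: boolean;
  acmCertificateArn?: string;
  minimumProtocolVersion?: string; // e.g. "TLSv1.2_2021"
}

interface CustomOriginConfig {
  originProtocolPolicy: "http-only" | "https-only" | "match-viewer";
  originSslProtocols: string[]; // subset of SSLv3, TLSv1, TLSv1.1, TLSv1.2
}

interface Origin {
  originId: string;
  customOriginConfig?: CustomOriginConfig; // absent for S3 origins
}

interface CacheBehavior {
  viewerProtocolPolicy: "allow-all" | "https-only" | "redirect-to-https";
}

interface Distribution {
  viewerCertificate: ViewerCertificate;
  origins: Origin[];
  defaultCacheBehavior: CacheBehavior;
  orderedCacheBehaviors?: CacheBehavior[];
}

interface Violation { policy: string; message: string }

// Assumption: CloudFront security policies that negotiate TLS 1.2 or newer only.
const MODERN_VIEWER_POLICIES: ReadonlySet<string> = new Set([
  "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021",
]);

// cloudfront-distribution-configure-secure-tls
function secureViewerTls(d: Distribution): Violation[] {
  const cert = d.viewerCertificate;
  // The default *.cloudfront.net certificate is pinned to a TLSv1 minimum
  // and cannot be raised, so it fails regardless of minimumProtocolVersion.
  if (cert.cloudfrontDefaultCertificate) {
    return [{ policy: "cloudfront-distribution-configure-secure-tls",
              message: "default CloudFront certificate forces a TLSv1 minimum; use an ACM certificate" }];
  }
  const v = cert.minimumProtocolVersion ?? "";
  return MODERN_VIEWER_POLICIES.has(v) ? [] : [{
    policy: "cloudfront-distribution-configure-secure-tls",
    message: `minimumProtocolVersion '${v}' permits TLS below 1.2` }];
}

// cloudfront-distribution-disallow-unencrypted-traffic
function disallowUnencryptedIngress(d: Distribution): Violation[] {
  // Every behavior counts, not only the default one.
  const behaviors = [d.defaultCacheBehavior, ...(d.orderedCacheBehaviors ?? [])];
  return behaviors
    .filter(b => b.viewerProtocolPolicy === "allow-all")
    .map(() => ({ policy: "cloudfront-distribution-disallow-unencrypted-traffic",
                  message: "cache behavior allows plaintext HTTP from viewers" }));
}

// cloudfront-distribution-enable-tls-to-origin
function enableTlsToOrigin(d: Distribution): Violation[] {
  const out: Violation[] = [];
  for (const o of d.origins) {
    const c = o.customOriginConfig;
    if (!c) continue; // S3 origins are not custom origins
    // match-viewer still sends HTTP to the origin when the viewer used HTTP.
    if (c.originProtocolPolicy !== "https-only") {
      out.push({ policy: "cloudfront-distribution-enable-tls-to-origin",
                 message: `origin ${o.originId} uses originProtocolPolicy ${c.originProtocolPolicy}` });
    }
  }
  return out;
}

// cloudfront-distribution-configure-secure-tls-to-origin
function secureTlsToOrigin(d: Distribution): Violation[] {
  const out: Violation[] = [];
  for (const o of d.origins) {
    const c = o.customOriginConfig;
    if (!c) continue;
    const weak = c.originSslProtocols.filter(p => p !== "TLSv1.2");
    if (weak.length > 0 || c.originSslProtocols.length === 0) {
      out.push({ policy: "cloudfront-distribution-configure-secure-tls-to-origin",
                 message: `origin ${o.originId} permits ${weak.join(", ") || "no protocols"}` });
    }
  }
  return out;
}

function evaluate(d: Distribution): Violation[] {
  return [...secureViewerTls(d), ...disallowUnencryptedIngress(d),
          ...enableTlsToOrigin(d), ...secureTlsToOrigin(d)];
}

// Constructed sample inputs (not real deployments): a weak distribution and
// its hardened counterpart. The weak one fails all four checks at once.
const weakDistribution: Distribution = {
  viewerCertificate: { cloudfrontDefaultCertificate: true },
  origins: [{ originId: "api", customOriginConfig: {
    originProtocolPolicy: "match-viewer",
    originSslProtocols: ["TLSv1", "TLSv1.1", "TLSv1.2"] } }],
  defaultCacheBehavior: { viewerProtocolPolicy: "allow-all" },
};

const hardenedDistribution: Distribution = {
  viewerCertificate: {
    acmCertificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/example", // placeholder ARN
    minimumProtocolVersion: "TLSv1.2_2021" },
  origins: [{ originId: "api", customOriginConfig: {
    originProtocolPolicy: "https-only", originSslProtocols: ["TLSv1.2"] } }],
  defaultCacheBehavior: { viewerProtocolPolicy: "redirect-to-https" },
  orderedCacheBehaviors: [{ viewerProtocolPolicy: "https-only" }],
};

console.log("weak:", evaluate(weakDistribution).map(v => v.policy));
console.log("hardened:", evaluate(hardenedDistribution).length, "violations");
```

The point worth keeping from the example: `redirect-to-https` on the default behavior does nothing for an ordered behavior left at `allow-all`, and `originProtocolPolicy: "https-only"` is separate from `originSslProtocols`, so a distribution can force TLS to the origin while still negotiating TLS 1.0 with it. Both conditions have to be checked on every behavior and every custom origin.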